Chapter 4 AES

The document provides an overview of the Advanced Encryption Standard (AES), detailing its structure, key expansion, and transformation functions. AES is a symmetric encryption algorithm that operates on 128-bit blocks with key lengths of 128, 192, or 256 bits, utilizing a series of transformations for encryption and decryption. It also discusses the mathematical foundations of AES, including groups, rings, fields, and finite fields, which are essential for understanding the operations within the algorithm.

Uploaded by

khushpatel1222
Advanced Encryption Standard
Dr Savitha G
Dr Girisha S
Mr. Ashutosh Holla B
AES Structure
➢ Advanced Encryption Standard (AES) is a highly trusted encryption
algorithm used to secure data by converting it into an unreadable format
without the proper key. It was developed by the National Institute of
Standards and Technology (NIST) in 2001.
➢ The cipher takes a plaintext block size of 128 bits, or 16 bytes.
➢ The key length can be 16, 24, or 32 bytes (128, 192, or 256 bits). The
algorithm is referred to as AES-128, AES-192, or AES-256, depending on the
key length.
➢ The input to the encryption and decryption algorithms is a single 128-bit
block.
➢ This block is copied into the State array, which is modified at each stage of
encryption or decryption. After the final stage, State is copied to an output matrix.
➢ The key is depicted as a square matrix of bytes. This key is then expanded
into an array of key schedule words.
➢ Each word is four bytes, and the total key schedule is 44 words for the 128-
bit key.
➢ Note that the ordering of bytes within a matrix is by column. So, for
example, the first four bytes of a 128-bit plaintext input to the encryption
cipher occupy the first column of the in matrix, the second four bytes occupy
the second column, and so on.

➢ Similarly, the first four bytes of the expanded key, which form a word,
occupy the first column of the w matrix.

➢ The cipher consists of N rounds, where the number of rounds depends
on the key length: 10 rounds for a 16-byte key, 12 rounds for a 24-byte key,
and 14 rounds for a 32-byte key.

➢ The first N - 1 rounds consist of four distinct transformation functions:
SubBytes, ShiftRows, MixColumns, and AddRoundKey, which are described
subsequently.
➢ The final round contains only three transformations, and there is an
initial single transformation (AddRoundKey) before the first round,
which can be considered Round 0.

➢ Each transformation takes one or more 4 × 4 matrices as input and produces
a 4 × 4 matrix as output.

➢ Also, the key expansion function generates N + 1 round keys, each of which
is a distinct 4 × 4 matrix.

➢ Each round key serves as one of the inputs to the AddRoundKey
transformation in each round.
Detailed Structure
➢ It is not a Feistel structure.
➢ In the classic Feistel structure, half of the data block is used to modify the other half of the data
block and then the halves are swapped.
➢ AES instead processes the entire data block as a single matrix during each round using
substitutions and permutation.

➢ The key that is provided as input is expanded into an array of forty-four 32-bit words,
w[i]. Four distinct words (128 bits) serve as a round key for each round

➢ Four different stages are used, one of permutation and three of substitution:
➢ Substitute bytes: Uses an S-box to perform a byte-by-byte substitution of the block.
➢ ShiftRows: A simple permutation.
➢ MixColumns: A substitution that makes use of arithmetic over GF(2^8).
➢ AddRoundKey: A simple bitwise XOR of the current block with a portion of the expanded key.
➢ For both encryption and decryption, the cipher begins with an AddRoundKey stage,
followed by nine rounds that each includes all four stages, followed by a tenth round
of three stages
➢ Only the AddRoundKey stage makes use of the key. For this reason, the cipher begins
and ends with an AddRoundKey stage. Any other stage, applied at the beginning or end,
is reversible without knowledge of the key and so would add no security.
➢ The other three stages together provide confusion, diffusion, and nonlinearity, but by
themselves would provide no security because they do not use the key.
➢ We can view the cipher as alternating operations of XOR encryption (AddRoundKey) of a
block, followed by scrambling of the block (the other three stages), followed by XOR
encryption, and so on.
➢ This scheme is both efficient and highly secure.
➢ Each stage is easily reversible. For the Substitute Byte, ShiftRows, and MixColumns
stages, an inverse function is used in the decryption algorithm. For the AddRoundKey
stage, the inverse is achieved by XORing the same round key to the block, using the
result that A ⊕ B ⊕ B = A.
• Once it is established that all four stages are reversible, it is easy to verify
that decryption does recover the plaintext.

• The final round of both encryption and decryption consists of only three
stages. Again, this is a consequence of the particular structure of AES and is
required to make the cipher reversible
AES Transformation Function
➢ Substitute Bytes Transformation
➢ The forward substitute byte transformation, called SubBytes, is a simple
table lookup.
➢ AES defines a 16 × 16 matrix of byte values, called an S-box, that contains
a permutation of all possible 256 8-bit values.
➢ Each individual byte of State is mapped into a new byte in the following
way:
➢ The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits
are used as a column value.
➢ These row and column values serve as indexes into the S-box to select a unique
8-bit output value.
➢ For example, the hexadecimal value {95} references row 9, column 5 of the S-box,
which contains the value {2A}. Accordingly, the value {95} is mapped into the
value {2A}.
• ShiftRows Transformation
➢ The first row of State is not altered. For the second row, a 1-byte circular left shift is
performed. For the third row, a 2-byte circular left shift is performed. For the fourth
row, a 3-byte circular left shift is performed. The following is an example of
ShiftRows.
➢ The inverse shift row transformation, called InvShiftRows, performs the circular
shifts in the opposite direction for each of the last three rows, with a 1-byte circular
right shift for the second row, and so on.
• MixColumns Transformation:
➢ The forward mix column transformation, called MixColumns, operates on each
column individually. Each byte of a column is mapped into a new value that is a
function of all four bytes in that column. The transformation can be defined by the
following matrix multiplication on State
➢ Each element in the product matrix is the sum of products of elements of one row
and one column. In this case, the individual additions and multiplications are
performed in GF(2^8).
• AddRoundKey Transformation:
➢ In the forward add round key transformation, called AddRoundKey, the 128 bits of
State are bitwise XORed with the 128 bits of the round key.
➢ The operation is viewed as a columnwise operation between the 4 bytes of a State
column and one word of the round key; it can also be viewed as a byte-level
operation.
➢ The first matrix is State, and the second matrix is the round key. The inverse add
round key transformation is identical to the forward add round key transformation,
because the XOR operation is its own inverse.
Groups, Rings and Fields
• Groups, rings, and fields are the fundamental elements of a branch
of mathematics known as abstract algebra, or modern algebra.

➢ Groups
➢ Rings
➢ Fields
➢ Finite Fields
Group
➢ A group (G, .) is a nonempty set G together with a binary operation . on G such
that the following conditions hold:

➢ Example: set of integers (Z,+)

➢ This is an abelian group as it satisfies all the axioms and addition of numbers is
commutative.
➢ The set of natural numbers is not a group.
Rings
• A ring R, sometimes denoted by {R, +, *}, is a set of elements with two binary
operations, called addition and multiplication, such that for all a, b, c in R the
following axioms are obeyed:

• Example: Integers, Real numbers, complex numbers. A 2x3 matrix is a group but not a
ring
• The axioms (A1–A5) define an abelian group under addition. Specifically,
they ensure that the set R, along with addition, forms an abelian
(commutative) group. These axioms are:
Field
• A field F, sometimes denoted by {F, +, x}, is a set of elements with two binary operations,
called addition and multiplication, such that for all a, b, c in F the following axioms are obeyed.
• A field is a set on which addition, subtraction, multiplication and division are defined:
➢ Addition
➢ Additive inverse (5 - 3 = 5 + (-3))
➢ Multiplication
➢ Multiplicative inverse for every nonzero element (3/5 = 3 * 1/5)

• Example: the set of rational numbers (a/b)
➢ They are commutative under addition: a/b + c/d = c/d + a/b
➢ They are commutative under multiplication: a/b * c/d = c/d * a/b
➢ All nonzero elements have a multiplicative inverse: 2/3 * 3/2 = 1

• The set of integers does not form a field, because it lacks multiplicative inverses for all
nonzero elements (5 * 1/5).
➢ 1/5 is not an integer.
While numbers like 5 exist, their reciprocals (e.g., 1/5) do not belong to Z. This means
Z is not closed under multiplicative inverses, violating a key field property.
Finite Field
• A finite field is a field with a finite number of elements.

• The number of elements in a finite field, also called a Galois field,
is always a prime or a power of a prime.

• A finite field exists only for P^m elements, where P is a prime and m is a
positive integer.

• GF(2) = GF(2^1) = {0, 1}

• GF(5) = GF(5^1) = {0, 1, 2, 3, 4}

• GF(81) = GF(3^4)

• GF(256) = GF(2^8), used in AES. 2^8 can be thought of as 8 bits (0000 0000)
➢ As it is 2^8, each bit can take 2 values (0, 1)
➢ +, -, *, / can be performed
Prime field and Extension field
• GF(P) is called a prime field when m = 1

• If m > 1, then we have GF(P^m); these are called extension fields

• We are interested in GF(2^8) for AES

• The elements in this set are not integers. They are polynomials
Example
• We will look into GF(8) = GF(2^3)
➢ This is an extension field (because 3 > 1)
➢ It has a set of polynomials
➢ GF(2^3) = {000, 001, 010, 011, 100, 101, 110, 111} (ax^2 + x + 1)
➢ 000 = 0
➢ 001 = 1
➢ 010 = x
➢ 011 = x + 1
➢ 100 = x^2
➢ 101 = x^2 + 1
➢ 110 = x^2 + x
➢ 111 = x^2 + x + 1
Example
• How to perform addition in GF(2^3)

• Add x^2 + x + 1 and x^2 + x

• Addition in GF is an XOR operation

XOR operation: if both bits are the same, the result is 0.
If the bits are different, the result is 1.
Example
• Multiplication in GF(2^3)

x^2 + x + 1 and x^2 + 1
Using the distributive property: (x^2 + x + 1)⋅x^2 + (x^2 + x + 1)⋅1
= x^4 + x^3 + x^2 + x^2 + x + 1 = x^4 + x^3 + x + 1
• This is not in the set. Hence, we have to use an irreducible polynomial

• Generally given as a constant: x^3 + x + 1

• x^4 + x^3 + x + 1 and its binary representation: 11011

• x^3 + x + 1 and its binary representation: 1011


Key expansion in AES
• Key (128 bits)

• 01110011011000010111….. 00111

• Representing it in hex
➢ 73 61 74 69 73 68 63 6a 69 73 62 6f 72 69 6e 67

• We need to convert it into a 4x4 matrix

b1 b5 b9  b13
b2 b6 b10 b14
b3 b7 b11 b15
b4 b8 b12 b16
What is g:
W4 = W0 ⊕ g(W3)

w0 w1 w2 w3
73 73 69 72
61 68 73 69
74 63 62 6e
69 6a 6f 67

w4 w5 w6 w7
73 73 69 72
61 68 73 69
74 63 62 6e
69 6a 6f 67
• RotWord is obtained by first performing cyclic left shift by one byte

• Next we need to find SubWord (Obtained by referring to S box)

• Substitute 69 as f9

W3 RotWord SubWord
72 69 F9
69 6e 9f
6e 67 85
67 72 40
• Next we need to perform XOR (Y1) with a round constant, Rcon[j]
W3 RotWord SubWord
(X1) (Y1)
72 69 F9
69 6e 9f
6e 67 85
67 72 40

R1 R2 R3 R4 R5 R6 R7 R8 R9 R10
01 02 04 08 10 20 40 80 1b 36
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
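The RotWord, SubWord and Rcon steps above, carried through for the key on these slides, as an added example that is not part of the original deck. The S-box is computed with the standard construction (GF(2^8) inverse followed by the affine map) rather than typed in as a table, and the function names are assumptions for illustration. It generalizes the W4 step to the full 44-word AES-128 schedule.

```python
def build_sbox():
    """Build the AES S-box: GF(2^8) inverse followed by the affine map."""
    def rotl8(v, n):
        return ((v << n) | (v >> (8 - n))) & 0xFF
    sbox = [0] * 256
    p = q = 1
    while True:
        # p walks through every nonzero field element (multiply by 03) ...
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # ... while q follows its inverse (divide by 03).
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # 0 has no inverse; it maps to the affine constant
    return sbox

SBOX = build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]  # R1..R10

def g(word, round_no):
    """g(W) = SubWord(RotWord(W)) XOR Rcon[round_no]."""
    rot = word[1:] + word[:1]        # RotWord: cyclic left shift by one byte
    sub = [SBOX[b] for b in rot]     # SubWord: S-box lookup of each byte
    sub[0] ^= RCON[round_no - 1]     # only the first byte of Rcon is nonzero
    return sub

def expand_key_128(key):
    """Expand a 16-byte key into the 44 words w0..w43 (lists of 4 bytes)."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        temp = g(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], temp)])
    return w

# Key from the slides.
KEY = bytes.fromhex("73 61 74 69 73 68 63 6a 69 73 62 6f 72 69 6e 67")

if __name__ == "__main__":
    words = expand_key_128(KEY)
    print("g(w3) =", bytes(g(words[3], 1)).hex())
    for i in range(4, 8):
        print(f"w{i} =", bytes(words[i]).hex())
```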
AES Round example
128 bits 128 bits 128 bits

Round 0 (XOR)   Sub Key 0 = w0 w1 w2 w3

Round 1
  Substitute Bytes
  ShiftRows
  MixColumns
  AddRoundKey   Sub Key 1 = w4 w5 w6 w7

State before Substitute Bytes:
00 16 1a 17
04 1c 00 07
17 0e 03 01
1b 0f 0f 10

State after Substitute Bytes (S-box lookup of each byte):
63 47 a2 f0
f2 9c 63 c5
f0 ab 7b 7c
af 76 76 ca
• ShiftRows:

• First row: no change

• Second row: one-byte cyclic left shift

• Third row: two-byte cyclic left shift

• Fourth row: three-byte cyclic left shift

Before          After
63 47 a2 f0     63 47 a2 f0
f2 9c 63 c5     9c 63 c5 f2
f0 ab 7b 7c     7b 7c f0 ab
af 76 76 ca     ca af 76 76
MixColumns

02 03 01 01     63 47 a2 f0     r1 r5 r9  r13
01 02 03 01  *  9c 63 c5 f2  =  r2 r6 r10 r14
01 01 02 03     7b 7c f0 ab     r3 r7 r11 r15
03 01 01 02     ca af 76 76     r4 r8 r12 r16

(02 x 63) + (03 x 9c) + (01 x 7b) + (01 x ca) = r1
(01 x 63) + (02 x 9c) + (03 x 7b) + (01 x ca) = r2
(01 x 63) + (01 x 9c) + (02 x 7b) + (03 x ca) = r3
(03 x 63) + (01 x 9c) + (01 x 7b) + (02 x ca) = r4
MixColumns:
• Every operation is done in a finite field
• Operations are done in a Galois field
• Example: Consider the multiplication of 02 x 63 (hex)
• Represent this in binary
➢ 02 - 0000 0010
➢ 63 - 0110 0011

• Represented as polynomials in GF(2^8)

• A polynomial in GF(2^8) = x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x^1 + 1
• 02 - 0000 0010 - x
• 63 - 0110 0011 - x^6 + x^5 + x^1 + 1
• Multiply: x * (x^6 + x^5 + x^1 + 1)
= x^7 + x^6 + x^2 + x
• Represent it in binary: 1100 0110 = C6 (hex)
Example 2: (02 x 63) + (03 x 9c) + (01 x 7b) + (01 x ca)
  (0000 0010)(0110 0011)  =  x * (x^6 + x^5 + x^1 + 1)
+ (0000 0011)(1001 1100)  =  (x + 1) * (x^7 + x^4 + x^3 + x^2)
+ (0000 0001)(0111 1011)  =  1 * (x^6 + x^5 + x^4 + x^3 + x + 1)
+ (0000 0001)(1100 1010)  =  1 * (x^7 + x^6 + x^3 + x)
= x^7 + x^6 + x^2 + x + x^8 + x^5 + x^4 + x^3 + x^7 + x^4 + x^3 + x^2 + x^6 + x^5 + x^4 + x^3 +
x + 1 + x^7 + x^6 + x^3 + x
= x^8 + x^7 + x^6 + x^4 + x + 1
GF(2^8) = x^7 + x^6 + x^5 + x^4 + x^3 + x^2 + x^1 + 1
• We need to use the irreducible polynomial p(x) = x^8 + x^4 + x^3 + x + 1

• In binary: x^8 + x^7 + x^6 + x^4 + x + 1 = 111010011

• In binary: x^8 + x^4 + x^3 + x + 1 = 100011011
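The finite-field steps above, carried through in code as an added example that is not part of the original slides: `gf_mul` multiplies and reduces by the irreducible polynomial, and `shift_rows` and `mix_columns` are applied to the post-SubBytes state from the round example. Function names are assumptions for illustration; `gf_mul` takes the polynomial and degree as parameters so it also covers the GF(2^3) multiplication shown earlier.

```python
def gf_mul(a, b, poly=0x11B, degree=8):
    """Multiply a and b in GF(2^degree), reducing by the irreducible poly."""
    result = 0
    while b:
        if b & 1:
            result ^= a      # addition in GF(2^n) is XOR
        b >>= 1
        a <<= 1              # multiply a by x
        if a >> degree:      # degree reached: XOR in the irreducible polynomial
            a ^= poly
    return result

def shift_rows(rows):
    """Row i of the state is rotated left by i bytes."""
    return [row[i:] + row[:i] for i, row in enumerate(rows)]

# MixColumns matrix from the slides.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col):
    """One output byte per matrix row: XOR of the GF(2^8) products."""
    out = []
    for coeffs in MIX:
        acc = 0
        for c, byte in zip(coeffs, col):
            acc ^= gf_mul(c, byte)
        out.append(acc)
    return out

def mix_columns(rows):
    """Apply mix_column to each column of a state given as four rows."""
    cols = [mix_column([row[c] for row in rows]) for c in range(4)]
    return [[col[r] for col in cols] for r in range(4)]

# State after Substitute Bytes, copied from the round example (one row per list).
AFTER_SUBBYTES = [[0x63, 0x47, 0xA2, 0xF0], [0xF2, 0x9C, 0x63, 0xC5],
                  [0xF0, 0xAB, 0x7B, 0x7C], [0xAF, 0x76, 0x76, 0xCA]]

if __name__ == "__main__":
    # GF(2^3): (x^2 + x + 1)(x^2 + 1) reduced by x^3 + x + 1
    print(bin(gf_mul(0b111, 0b101, poly=0b1011, degree=3)))
    for row in mix_columns(shift_rows(AFTER_SUBBYTES)):
        print(" ".join(f"{b:02x}" for b in row))
```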
• Finally perform XOR with the SubKey
END